On 3/30/06, Daniel Hartmeier <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 30, 2006 at 01:58:19PM -0600, Bill Marquette wrote:
>
> > Any suggestions??? I'm guessing most people aren't seeing this as
> > they are connecting to multiple hosts, not a select few at a "decent"
> > connection rate.
>
> Is sq
On 03/30/2006 03:06:42 PM, Daniel T. Staal wrote:
FTP is a pain. It *needs* a proxy to go through a firewall.
... because it embeds network information in the application's
data stream.
The easiest way to get FTP working is to use OpenBSD 3.9
(i.e. the current release) or install the 3.9 ftp
On Thu, March 30, 2006 12:41 pm, IMS said:
> Hi all
>
> I'm a newbie with pf, I've only tried it for a few weeks.
> Now I'm trying to write ftp rules, but after reading many books,
> I found that they guide you to use ftp-proxy.
> But my production site doesn't allow using that.
>
> How could I write rules for ftp?
>
The ftp-proxy mechanism has changed; please read the
PF FAQ at http://www.openbsd.org/faq for the update.
Regards.
--- IMS <[EMAIL PROTECTED]> wrote:
> Hi all
>
> I'm a newbie with pf, I've only tried it for a few weeks.
> Now I'm trying to write ftp rules, but after reading
> many books,
> I found that they
On Thu, Mar 30, 2006 at 01:58:19PM -0600, Bill Marquette wrote:
> Any suggestions??? I'm guessing most people aren't seeing this as
> they are connecting to multiple hosts, not a select few at a "decent"
> connection rate.
Is squid re-using the same source address AND port for all those
connecti
I'm running into a small issue with squid on OpenBSD 3.5 (I
know...we're working on our 3.9 build right now) and I'm wondering if
anyone has run into it, or has any suggestions (other than upgrade to
3.9 unless you know the fix is in there for sure).
We've been seeing 503 No route to host errors o
On Fri, Mar 31, 2006 at 12:41:11AM +0700, IMS wrote:
> Now I'm trying to write ftp rules, but after reading many books,
> I found that they guide you to use ftp-proxy.
> But my production site doesn't allow using that.
>
> how could I write rule for ftp?
FTP uses more than a single TCP connection. When
On Thu, Mar 30, 2006 at 06:34:02PM +, George Pontis wrote:
> For a rule that matches both UDP and TCP packets, is "flags S/SA"
> safely ignored for UDP ?
Yes, the rule matches UDP packets as if the "flags S/SA" wasn't there.
Daniel
Hi all
I'm a newbie with pf, I've only tried it for a few weeks.
Now I'm trying to write ftp rules, but after reading many books,
I found that they guide you to use ftp-proxy.
But my production site doesn't allow using that.
How could I write rules for ftp?
I have about 200 clients and one firewall with nat rules.
All
Daniel Hartmeier wrote:
> ...
> Make sure that all your 'pass keep state' rules which can possibly
> apply to TCP packets also use 'flags S/SA' (so they only apply to
> initial SYNs), and that you block other TCP packets by default.
>
> ...
For a rule that matches both UDP and TCP packets, is "
On Thu, Mar 30, 2006 at 02:29:19PM +0200, Fredrik Widlund wrote:
> So, there are indeed 2 states, one without wscaling. I don't understand
> why the returning state (S->C) is created, and not matched to the
> initial NAT state? Is it because I create the state on "out" and is this
> then invalid?!
So, there are indeed 2 states, one without wscaling. I don't understand
why the returning state (S->C) is created, and not matched to the
initial NAT state? Is it because I create the state on "out" and is this
then invalid?! I use this normally without problems on many routers.
I have a very larg
Daniel Hartmeier wrote:
> Please enable debug logging (pfctl -xm), and repeat the procedure,
> capturing one failing connection from handshake to the point of failure
> as you already did. Then check /var/log/messages for any lines from pf
> related to this connection ('BAD state' messages, likely)
On Wed, Mar 29, 2006 at 03:07:10PM -0500, David Steinbrunner wrote:
> I currently have a working anchor that I would like to split into many
> anchors. The anchor is meant for the rules related to a table so the parent
> anchor defines the table and then the child anchors hold different types of
On Thu, Mar 30, 2006 at 11:51:36AM +0200, Fredrik Widlund wrote:
> Is this a wscale issue desyncing the session? I'm guessing here, but
> does PF set the window to 46 receiving the data push from the server,
> while C still believes it's 5792<<7 and sends out 59 bytes? What is
> wrong here, PF int
Daniel Hartmeier wrote:
> On Wed, Mar 29, 2006 at 01:07:10PM +0100, Ian Chard wrote:
>
>> Can someone please help me track this down?
>
> Looks like you don't create state on the initial TCP SYN packet, but on
> a subsequent packet (like, the SYN+ACK flowing in the reverse
> direction). That's us
Hi,
We're experiencing a problem where OpenBSD Packet Filter is involved,
and where the TCP session seems to become desynced. (OpenBSD 3.7 and 3.8)
The problem occurs when we send data to the one external server (not
ours), immediately after the handshake using NAT. client->server data
pipe break
On Wed, Mar 29, 2006 at 10:52:00PM +0200, Jonas Davidsson wrote:
> Tobias Weisserth wrote:
> > # inbound traffic (firewall)
> > pass in on $ext_if inet proto tcp from any to $fw_ext user proxy \
> > keep state
> > pass in on $ext_if inet proto tcp from to $fw_ext \
> > port 22 flags S/SA keep